79be4a20f5f951bcfeebe587556ecceb4c2d854334f2c723751c0aedc158f500

General

Target

494161eb70dd58f5bcbe451ed7e89711_JaffaCakes118.exe
Size

286KB
MD5

494161eb70dd58f5bcbe451ed7e89711
SHA1

57786aabe6339ce090e7d053190a81773c277558
SHA256

79be4a20f5f951bcfeebe587556ecceb4c2d854334f2c723751c0aedc158f500
SHA512

ea34a9ba8a4996b708f31783b35640ea1c7f98bf2a95147158cabdc1eb25866fd46b0697915d2ca03ff6f1f0d566408c9236f40cdba8ad11a5c134c6d775d9e4
SSDEEP

6144:ZsehzRFabttq+EYeCes/e7Nf6cIQND5I7xi:ZrOxEYek6EV0D5I7xi

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2092	DotNetSetup.exe
4752	InstallerAny.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	494161eb70dd58f5bcbe451ed7e89711_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4752	InstallerAny.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 2092	4568	494161eb70dd58f5bcbe451ed7e89711_JaffaCakes118.exe	85
PID 4568 wrote to memory of 2092	4568	494161eb70dd58f5bcbe451ed7e89711_JaffaCakes118.exe	85
PID 4568 wrote to memory of 2092	4568	494161eb70dd58f5bcbe451ed7e89711_JaffaCakes118.exe	85
PID 2092 wrote to memory of 4752	2092	DotNetSetup.exe	86
PID 2092 wrote to memory of 4752	2092	DotNetSetup.exe	86

C:\Users\Admin\AppData\Local\Temp\494161eb70dd58f5bcbe451ed7e89711_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\494161eb70dd58f5bcbe451ed7e89711_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DotNetSetup.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DotNetSetup.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\InstallerAny.exe
    ".\InstallerAny.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DotNetSetup.exe

Filesize
468KB

MD5
8f5b9c5da53ab29fa38f5daa52cc9a5b

SHA1
e2742abd0eff817bb1733374daac23be9bdcd0ff

SHA256
19def4bdfa0477e6f3479ab8870815a76f1f1962cec05a2b740538f5de26b5f8

SHA512
d378a4fe7f240b97ebfa4140850d59773cef47e9476ff29e59cab4b4cf332863ba7258af7e817343a00f14b81a0403a5f1ec5d234f68348a0265f01c0d197e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.xml

Filesize
64KB

MD5
bf03d5a291ed49d73f6a49458b8b2114

SHA1
71a81865f8bb530b6a1342f0c19bb88c3b8c7e21

SHA256
1b41355cd5d0b5c082df9d00d57a40adeee184e172f8aa1938b65f083fa316b8

SHA512
3680078ff7f953a8517bba1eda632a5f9c7ff1239480652e7df360d74340d6a8be26487c798f613a8d03dd92b3870a54925a0b885ea637f224ba8512aea7be3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Installer.log

Filesize
6KB

MD5
6df59a1c410f950cc5f539c34a940647

SHA1
29507c38dd803f10f5dd92ba794688f755965a03

SHA256
d979d5253542169a1ad434590119d9e562749dcf12c596b6de4d8d68f631ba95

SHA512
475d2c864d8a0c21411965ec0afeecfe9065ceb8161f4a5cabc4a961f373a1bae88a9e6da56dcf836a8f8b41e90ca0c355645e93f8c4e54a2f8707c21086c033

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\InstallerAny.exe

Filesize
196KB

MD5
03344afd8130863c40c47c319fcee7b8

SHA1
8404762cb5e6cdb886fdf9ad7e3754bbda88d953

SHA256
ca9aa487ce7cf8f35d37048665960b438f77aa5a543c52086c7134416db5dba0

SHA512
a3b5b88f741765870d45f8a9d5124f54747880fadfc5d18699e6cb5eaf014aec30065b7f3863a8cac94699730bec4fbef7823f46656e32362d2fbff7325888a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WSysLib.Installer.Runtimes.wSetup.dll

Filesize
44KB

MD5
20f0aeb8d792c2e19941d0bb1a6b06bd

SHA1
7ec218740813a977b708dcb77c5dc694e866faa6

SHA256
255017219327f4c1e34f7d26ab55a6bce29d7399f36cbf00b2009a1dba929de2

SHA512
5ee6759997891a0d5d0c5bef4269376a89705bc886524ee4f58515fc1b751ebf9d74b29ace732c93b3076e8b754c1ee5627c883416f23a1ceb6322f61364715f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WSysLib.Installer.dll

Filesize
280KB

MD5
11b1323b20ba76eb41a79f10c5ff479b

SHA1
05242c7589873fe91d7b6d75973633b834598b31

SHA256
19702764142e3afa9f9fbbd7b8c4f08f2dab03cfbfeb8ea774955e2473f37214

SHA512
ef3331d89f246276125212366d793e97815a33880ea9d36462520511d5fd411d3d000b8500fbe8a6130065d1ddac122dfbdde389f2d804680d72d561ca17aae8

Download Submit
memory/2092-128-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2092-15-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/4752-27-0x000000001BA60000-0x000000001BA6E000-memory.dmp

Filesize
56KB

Download
memory/4752-24-0x000000001C6C0000-0x000000001CB8E000-memory.dmp

Filesize
4.8MB

Download
memory/4752-19-0x00007FFB496C5000-0x00007FFB496C6000-memory.dmp

Filesize
4KB

Download
memory/4752-21-0x000000001B9B0000-0x000000001B9FA000-memory.dmp

Filesize
296KB

Download
memory/4752-29-0x000000001CE50000-0x000000001CEB2000-memory.dmp

Filesize
392KB

Download
memory/4752-35-0x000000001D220000-0x000000001D2BC000-memory.dmp

Filesize
624KB

Download
memory/4752-38-0x000000001CC70000-0x000000001CC78000-memory.dmp

Filesize
32KB

Download
memory/4752-23-0x00007FFB49410000-0x00007FFB49DB1000-memory.dmp

Filesize
9.6MB

Download
memory/4752-127-0x000000001E7A0000-0x000000001EAAE000-memory.dmp

Filesize
3.1MB

Download
memory/4752-22-0x00007FFB49410000-0x00007FFB49DB1000-memory.dmp

Filesize
9.6MB

Download
memory/4752-129-0x00007FFB496C5000-0x00007FFB496C6000-memory.dmp

Filesize
4KB

Download
memory/4752-130-0x00007FFB49410000-0x00007FFB49DB1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads